1. Field of the Invention
The present invention relates generally to data access and security for entities communicating over a data network, and more particularly to a security mechanism for an ordinarily insecure network communication protocol such as the Simple Network Management Protocol (SNMP).
2. Description of the Related Art
The Simple Network Management Protocol (SNMP) is a standard application-level protocol by which management information for a network element may be inspected or altered by logically remote users. SNMP is widely used for managing the Internet and other networks that use the Transmission Control Protocol/Internet Protocol (TCP/IP) or the User Datagram Protocol (UDP) for client-server communication. SNMP, however, is not limited to any particular client-server transport, since SNMP governs the content and protocol of messages for accessing the management information and not the particular manner in which the messages are transmitted. SNMP is defined in an Internet standards document, RFC 1157, by J. Case, M. Fedor, M. Schoffstall, and J. Davin entitled "A Simple Network Management Protocol (SNMP)," May 1990, incorporated herein by reference.
SNMP messages are transmitted between a client (called a "manager" in RFC 1157) and a server (called an "agent" in RFC 1157) in a network. Each SNMP message is an ASN.1 data structure, serialized with the ASN.1 Basic Encoding Rules (BER), that includes an SNMP version number of type INTEGER, a community name of type OCTET STRING (a string of 8-bit bytes), and data of type ANY. The agent has an authentication service that uses the community name as a kind of password: if the authentication service determines that the community name is not appropriate for access to the agent, the agent rejects the message.
The SNMP specification defines a protocol data unit (PDU) for use in the data portion of five different classes of SNMP messages. For the four request/response classes the PDU is an ASN.1 data structure including a Request ID of INTEGER type, an Error Status of INTEGER type, an Error Index of INTEGER type, and a VarBindList, which is a SEQUENCE OF VarBind, each VarBind being a SEQUENCE that pairs the name of a managed object with a value. The class of a PDU is identified by its ASN.1 tag rather than by the Request ID: a Get request for obtaining values of instances of managed objects, a Get next request for obtaining the next instance in lexicographic order (used to walk tables), a Get response message for responding to a request message, a Set request for changing the values of instances of the managed objects, and a Trap message (whose PDU has a different layout, carrying the enterprise, agent address, trap type and time stamp). The Request ID serves to match a response with the request that produced it. The managed objects for a particular network element are defined in a data structure called a Management Information Base (MIB). The MIB includes Object Identifiers (OIDs) of the managed objects in the network element, and the OIDs are expressed as hierarchical path names (dotted sequences of integer sub-identifiers, such as 1.3.6.1.2.1.1.1).
SNMP provides a very low level of security. There is a threat of eavesdropping or snooping. There is a threat that an unauthorized entity may alter in-transit SNMP messages. Moreover, the community name (the "community string") is transmitted in clear text and is therefore accessible to anyone who can tap into the network, so that an unauthorized entity may assume the identity of an authorized entity simply by reusing it in messages of its own. To guard against these threats, it is desired to have a mechanism for encrypting an SNMP message, and for verifying that a message has not been altered in transit and has originated from a particular entity. However, it is also desired for the security mechanism to be as compatible as possible with the SNMP data structures and protocols.
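The following is an added illustration, not code from the patent or from RFC 1157: a minimal BER decoder applied to a hand-encoded SNMPv1 GetRequest (community "public", OID sysDescr.0, constructed for this example). It makes concrete the Message and PDU layout described above and the reason the community name offers no real protection: whoever can read the datagram reads the "password" too.

```python
# Constructed sample: SNMPv1 GetRequest for sysDescr.0 with community "public",
# hand-encoded in BER for this example.
SAMPLE_GETREQUEST = bytes.fromhex(
    "30 26"                          # SEQUENCE (Message), 38 bytes
    "02 01 00"                       #   INTEGER version = 0 (SNMPv1)
    "04 06 70 75 62 6c 69 63"        #   OCTET STRING community = "public"
    "a0 19"                          #   [0] GetRequest-PDU, 25 bytes
    "02 01 01"                       #     INTEGER request-id = 1
    "02 01 00"                       #     INTEGER error-status = 0
    "02 01 00"                       #     INTEGER error-index = 0
    "30 0e"                          #     SEQUENCE OF VarBind
    "30 0c"                          #       SEQUENCE VarBind
    "06 08 2b 06 01 02 01 01 01 00"  #         OBJECT IDENTIFIER 1.3.6.1.2.1.1.1.0
    "05 00"                          #         NULL (no value in a request)
)

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


def read_tlv(buf, pos, expect=None):
    """Read one BER tag-length-value at buf[pos]; return (tag, contents, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element contents exceed buffer")
    if expect is not None and tag != expect:
        raise ValueError(f"expected tag 0x{expect:02x}, got 0x{tag:02x}")
    return tag, buf[pos:pos + length], pos + length


def decode_int(contents):
    return int.from_bytes(contents, "big", signed=True)


def decode_oid(contents):
    """Decode OBJECT IDENTIFIER contents (first octet = 40*X+Y, then base-128 sub-ids)."""
    subids, cur, pending = [contents[0] // 40, contents[0] % 40], 0, False
    for b in contents[1:]:
        cur, pending = (cur << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:                      # high bit clear: sub-identifier complete
            subids.append(cur)
            cur = 0
    if pending:
        raise ValueError("OID ends inside a multi-octet sub-identifier")
    return ".".join(map(str, subids))


def decode_value(tag, contents):
    """Decode the value types handled in this example (INTEGER, OCTET STRING, NULL)."""
    if tag == 0x02:
        return decode_int(contents)
    if tag == 0x04:
        return contents                      # OCTET STRING: raw bytes
    if tag == 0x05:
        return None                          # NULL: no value (requests)
    raise ValueError(f"unsupported value tag 0x{tag:02x}")


def parse_snmpv1(packet):
    """Decode Message { version, community, data } and a non-Trap PDU into a dict."""
    _, body, end = read_tlv(packet, 0, expect=0x30)
    if end != len(packet):
        raise ValueError("trailing bytes after Message")
    _, ver, pos = read_tlv(body, 0, expect=0x02)
    _, community, pos = read_tlv(body, pos, expect=0x04)
    tag, pdu, pos = read_tlv(body, pos)
    if tag not in PDU_TYPES or pos != len(body):
        raise ValueError("unknown PDU tag or trailing data in Message")
    if tag == 0xA4:
        raise ValueError("Trap-PDU has a different layout; not decoded here")
    _, rid, p = read_tlv(pdu, 0, expect=0x02)
    _, est, p = read_tlv(pdu, p, expect=0x02)
    _, eix, p = read_tlv(pdu, p, expect=0x02)
    _, vbl, p = read_tlv(pdu, p, expect=0x30)
    if p != len(pdu):
        raise ValueError("trailing data in PDU")
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q, expect=0x30)
        _, oid, r = read_tlv(vb, 0, expect=0x06)
        vtag, val, r = read_tlv(vb, r)
        if r != len(vb):
            raise ValueError("trailing data in VarBind")
        varbinds.append((decode_oid(oid), decode_value(vtag, val)))
    return {
        "version": decode_int(ver),
        "community": community.decode("latin-1"),  # the "password", visible to any observer
        "pdu_type": PDU_TYPES[tag],
        "request_id": decode_int(rid),
        "error_status": decode_int(est),
        "error_index": decode_int(eix),
        "varbinds": varbinds,
    }
```

Calling `parse_snmpv1(SAMPLE_GETREQUEST)` yields the version, the community name "public" in the clear, the PDU class taken from the context tag 0xA0, and one VarBind for 1.3.6.1.2.1.1.1.0 with a NULL value. The decoder rejects truncated or trailing bytes at every nesting level; a lenient decoder is the usual source of trouble when such parsers face hostile input.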
An experimental protocol for Internet security is described in RFC 1910 by the Network Working Group, G. Waters, Editor, "User-based Security Model for SNMPv2," Feb. 1996, incorporated herein by reference. The Network Working Group recognizes that the security mechanism should entail no changes to the basic SNMP network management philosophy. In support of data integrity, a message digest is calculated over an appropriate portion of an SNMPv2 message and included as part of the message sent to the recipient. In support of data authentication, a secret value is both inserted into, and appended to, the SNMPv2 message prior to computing the digest; the inserted value is overwritten by the digest prior to transmission and the appended value is not transmitted. The secret value is shared by all SNMPv2 entities authorized to originate messages on behalf of the appropriate user. In support of data confidentiality, an encryption algorithm is required. An appropriate portion of the message is encrypted prior to being transmitted. Only the PDU is protected from disclosure by the privacy protocol. For an authenticated SNMPv2 message, the message digest is applied to the entire message given to the transport service. As such, message generation first privatizes (encrypts) the PDU, then adds the message wrapper, and then authenticates the message. This SNMPv2 message is an ASN.1 data structure with the following syntax:
______________________________________
Message ::=
    SEQUENCE {
        version
            INTEGER { v2 (2) },
        parameters
            OCTET STRING,
            -- <model = 1>
            -- <qoS><agentID><agentBoots><agentTime><maxSize>
            -- <userLen><userName><authLen><authDigest>
            -- <contextSelector>
        data
            CHOICE {
                plaintext   PDUs,
                encrypted   OCTET STRING
            }
    }
______________________________________
Here <qoS> is a quality-of-service parameter that selects one of: (1) neither authentication nor privacy; (2) authentication without privacy; (3) authentication and privacy; or (4) generation of report PDUs allowed. If the qoS specifies that the message is to be authenticated, an MD5 digest is computed over the octet sequence formed by concatenating the serialized message (with the user's authentication key occupying the <authDigest> field) and the user's authentication key, and the <authDigest> field is then overwritten with the computed digest. (MD5 is the message-digest function described in R. Rivest, "The MD5 Message-Digest Algorithm," RFC 1321, Apr. 1992. It was regarded as cryptographically strong when RFC 1910 was written; it is no longer considered collision-resistant.)
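The "insert the key, append the key, digest, overwrite" construction described in the preceding two paragraphs, as an added example that is not the patent's or RFC 1910's own code. The byte widths of the <parameters> fields, the qoS value, the 16-octet key and the GetRequest PDU are all constructed for this example (the RFC fixes its own encodings), and the privacy step (encryption of the PDU before wrapping) is omitted, so the <data> here is the plaintext PDU. The receiver compares digests in constant time; note that later versions of the User-based Security Model (RFC 3414) replaced this keyed-prefix/suffix MD5 with HMAC-MD5-96 and HMAC-SHA-96.

```python
import hashlib
import hmac
import struct

MD5_LEN = 16
QOS_AUTH_NOPRIV = 1                           # qoS value assumed for this example

# Constructed 16-octet MD5 authentication key shared by manager and agent.
AUTH_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
# Constructed plaintext PDU (an SNMP GetRequest for sysDescr.0); privacy is omitted here.
PLAINTEXT_PDU = bytes.fromhex(
    "a0 19 02 01 01 02 01 00 02 01 00 30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00")

FIXED_HEAD = 1 + 1 + 12 + 4 + 4 + 4            # model, qoS, agentID, agentBoots, agentTime, maxSize


def build_parameters(qos, agent_id, boots, time, max_size, user, auth_field, context):
    """<model=1><qoS><agentID><agentBoots><agentTime><maxSize><userLen><userName>
    <authLen><authDigest><contextSelector>, with field widths assumed for this example."""
    assert len(agent_id) == 12 and len(user) < 256 and len(auth_field) < 256
    return (bytes([1, qos]) + agent_id + struct.pack(">III", boots, time, max_size)
            + bytes([len(user)]) + user + bytes([len(auth_field)]) + auth_field + context)


def serialize(parameters, data):
    """Constructed wire form: version octet | 2-octet parameters length | parameters | data."""
    return bytes([2]) + struct.pack(">H", len(parameters)) + parameters + data


def locate_auth_slot(wire):
    """Return (offset, length) of the <authDigest> octets within the serialized message."""
    params_len = struct.unpack(">H", wire[1:3])[0]
    params = wire[3:3 + params_len]
    user_len = params[FIXED_HEAD]
    auth_len_pos = FIXED_HEAD + 1 + user_len
    return 3 + auth_len_pos + 1, params[auth_len_pos]


def keyed_digest(wire, key):
    """RFC 1910 digest: key written into the authDigest slot and appended, MD5 over the whole."""
    start, length = locate_auth_slot(wire)
    if length != len(key) or len(key) != MD5_LEN:
        raise ValueError("authDigest slot must be 16 octets for MD5")
    with_key = wire[:start] + key + wire[start + length:]
    return hashlib.md5(with_key + key).digest()       # the appended key is never transmitted


def authenticate(parameters, data, key):
    """Sender: serialize with the key in the slot, digest, then overwrite the slot with the digest."""
    wire = serialize(parameters, data)
    start, length = locate_auth_slot(wire)
    return wire[:start] + keyed_digest(wire, key) + wire[start + length:]


def verify(wire, key):
    """Receiver: lift out the received digest, recompute with the key re-inserted, compare."""
    start, length = locate_auth_slot(wire)
    received = wire[start:start + length]
    return hmac.compare_digest(received, keyed_digest(wire, key))


def demo():
    """Authenticate one message, then check a tampered copy and a wrong key."""
    params = build_parameters(QOS_AUTH_NOPRIV, b"agent-000001", boots=3, time=1200,
                              max_size=1472, user=b"operator", auth_field=AUTH_KEY, context=b"")
    wire = authenticate(params, PLAINTEXT_PDU, AUTH_KEY)
    tampered = wire[:-1] + bytes([wire[-1] ^ 0x01])   # flip one bit in the PDU
    return {
        "key_on_wire": AUTH_KEY in wire,
        "genuine": verify(wire, AUTH_KEY),
        "tampered": verify(tampered, AUTH_KEY),
        "wrong_key": verify(wire, bytes(MD5_LEN)),
    }
```

Because the digest covers the wrapper as well as the PDU, the agentBoots and agentTime fields are bound into it, which is what lets a receiver reject stale copies of an otherwise genuine message; the example leaves that timeliness check out and shows only the integrity and origin checks.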
Although the experimental protocol of RFC 1910 can provide integrity, authentication, and confidentiality, it is far from simple and is a departure from the SNMP network management philosophy and protocol.